
RE: [cobalt-security] RAQ3 vulnerabilities



Lots of people wrote:

<snip various comments about physical access>

I've said this before in different contexts; it bears saying again.

I work for the UK's largest dedicated hosting company (don't worry about the
semantics; yes Verio/WorldCom/Planet/etc have a larger hosting presence than
us but they do other things too). We host several thousand RaQs, Windows
machines, Linux boxes of all shapes and sizes, Sun boxes, BSD, yadda yadda
yadda.

One of the reasons we are where we are is that the staff here do not go
faffing about with people's machines (unless specifically asked by the
owner/contract holder).

Any hosting or colocation centre which is at least giving the impression of
a professional outfit would not dare employ staff who are so stupid as to go
sticking their fingers in customers' machines. If they did, those staff
would soon be replaced and would probably find it very difficult to work in
this industry again - word gets around pretty quickly in this town - if they
didn't find themselves in trouble with the law (depending on the local
variations of computer access laws).

Let's face it; if I was to let myself into one of our datacentres and go
exploring, what would I find? A bunch of irrelevant (to me) website files,
perhaps some e-commerce applications, maybe even some warez. And lots and
lots of meaningless emails, amongst all the spam. I'm not interested. I
don't care what's on the machines, I just wanna keep the things running. If
they break, I fix them. The data is irrelevant.

Colo/host centres are, in the majority of cases, staffed by professionals; I
preclude any 'companies' which are run by sixteen-year-olds in the spare
room of their parents' house with RaQs teetering on top of filing cabinets
in that description. If anyone wants to host somewhere like that, go ahead -
YGWYPF :)

Unless you pay for a leased line to your own premises where only you have
access, then someone else is *always* going to have physical access to your
machine. Trust depends on how the outfit you go with portray themselves, I
guess.

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC